View Issue Details

ID: 0004954
Project: OXID eShop (all versions)
Category: 4.07. Source code, Test
View Status: public
Last Update: 2013-02-22 11:06
Reporter: d3
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 
Target Version: 
Fixed in Version: 4.7.4 / 5.0.4 revision 57063
Summary: 0004954: missing getViewName() in SQL statements

Description:

oxorder::_setOrderStatus( $sStatus ):
$sQ = 'update oxorder set oxtransstatus='.$oDb->quote( $sStatus ).' where oxid='.$oDb->quote( $this->getId() );

better:
$sViewName = $this->getCoreTableName();
$sQ = 'update '. $sViewName .' set oxtransstatus='.$oDb->quote( $sStatus ).' where oxid='.$oDb->quote( $this->getId() );

More examples:

oxorder::_updateOrderDate():
$sQ = 'update oxorder set oxorderdate=\''.$sDate.'\' where oxid='.$oDb->quote( $this->getId() );

oxorder::_setNumber():
$sQ = "update oxorder set oxordernr = $iCnt where oxid = ?";

oxorder::getInvoiceNum():
$sQ = 'select max(oxorder.oxinvoicenr) from oxorder where oxorder.oxshopid = "'.$this->getConfig()->getShopId().'" ';

There are many more handlings like these, also in other classes:

oxarticle::reduceStock($dAmount, $blAllowNegativeStock = false)
$oDb->execute( 'update oxarticles set oxarticles.oxstock = '.$oDb->quote( $iStockCount ).' where oxarticles.oxid = '.$oDb->quote( $this->getId() ) );

Tags: No tags attached.
Theme: Both
Browser: All
PHP Version: any
MySQL Version: any

Activities

Linas Kukulskis

2013-02-22 11:06

reporter   ~0008441

fixed some queries with missing quoting. using the getCoreTableName() method in query construction is not necessary, it is normal to use the real table name in insert, update, delete queries. but we take this bug as a note for the future to make one standard for queries which select data (with used getViewName()) and other queries.
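The pattern the report asks for (table name from a helper instead of a literal, every interpolated value passed through quote(), selects going through the view name) is shown below as an added example; this is not OXID's own code. DemoDb and DemoOrder are stand-ins for oxDb and oxorder so that the script runs without a shop installation, and the view name format oxv_oxorder_<shopid> is an assumption made for the demo only.

```php
<?php
// Added example, not OXID code: the query-construction pattern from the report,
// with stand-ins for the DB layer and the order model so it runs stand-alone.

// Minimal stand-in for the OXID database adapter. Only quote() and execute()
// are modelled; execute() just records the statement it received.
class DemoDb
{
    public $log = array();

    // Escapes backslashes and single quotes and wraps the value in quotes,
    // which is the job quote() does on the real adapter.
    public function quote($value)
    {
        return "'" . str_replace(array("\\", "'"), array("\\\\", "\\'"), (string) $value) . "'";
    }

    public function execute($sql)
    {
        $this->log[] = $sql;
    }
}

// Stand-in for oxorder: only the name helpers and getId() are needed here.
class DemoOrder
{
    private $db;
    private $id;
    private $shopId;

    public function __construct(DemoDb $db, $id, $shopId)
    {
        $this->db = $db;
        $this->id = $id;
        $this->shopId = $shopId;
    }

    public function getId() { return $this->id; }

    // Real table name, used for insert/update/delete (as the resolver note says).
    public function getCoreTableName() { return 'oxorder'; }

    // Shop-specific view, used for selects. Name format is assumed for the demo.
    public function getViewName() { return 'oxv_oxorder_' . $this->shopId; }

    // Hardened counterpart of _setOrderStatus(): helper-derived table name,
    // a space after it, and both values quoted.
    public function setOrderStatus($status)
    {
        $sql = 'update ' . $this->getCoreTableName()
             . ' set oxtransstatus=' . $this->db->quote($status)
             . ' where oxid=' . $this->db->quote($this->getId());
        $this->db->execute($sql);
        return $sql;
    }

    // Hardened counterpart of _updateOrderDate(): $date is quoted rather than
    // spliced into the statement between hand-written quote characters.
    public function updateOrderDate($date)
    {
        $sql = 'update ' . $this->getCoreTableName()
             . ' set oxorderdate=' . $this->db->quote($date)
             . ' where oxid=' . $this->db->quote($this->getId());
        $this->db->execute($sql);
        return $sql;
    }

    // Hardened counterpart of getInvoiceNum(): the read goes through the view
    // and the shop id is quoted instead of wrapped in literal double quotes.
    public function invoiceNumQuery()
    {
        $view = $this->getViewName();
        return 'select max(' . $view . '.oxinvoicenr) from ' . $view
             . ' where ' . $view . '.oxshopid = ' . $this->db->quote($this->shopId);
    }
}

$db    = new DemoDb();
$order = new DemoOrder($db, 'abc123', '1');   // constructed sample ids

echo $order->setOrderStatus('OK') . PHP_EOL;
// A value containing a single quote is escaped instead of ending the literal.
echo $order->updateOrderDate("2013-02-22 11:06' constructed") . PHP_EOL;
echo $order->invoiceNumQuery() . PHP_EOL;
```

Running it prints the three statements; the second shows the embedded quote escaped as \' inside the oxorderdate literal, which is the difference between the original _updateOrderDate() concatenation and the quoted form. Only the write queries use getCoreTableName(); the select uses getViewName(), matching the distinction drawn in the resolution note.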